We take security, trust, and transparency seriously. Cloudflare appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities to Cloudflare and to recognize you for your effort to make the Internet a better place. This policy provides our guidelines for reporting vulnerabilities to Cloudflare.
If you believe you have found a security vulnerability that could impact Cloudflare or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow Cloudflare’s Vulnerability Disclosure Policy and HackerOne’s Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.
Any web properties owned by Cloudflare are in scope for the program, including:
Cloudflare customer sites are out of scope for our Vulnerability Disclosure program.
In order for your submission to be eligible:
All legitimate reports will be reviewed and assessed by Cloudflare’s security team to determine whether they are eligible.
As mentioned in our Privacy and Security Policy, Cloudflare's website and services are not intended for, or designed to attract, individuals under the age of 18. Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the age of 18 will not be eligible to receive Cloudflare service rewards. We will find another way to recognize your effort.
For each eligible vulnerability report, the reporter will receive:
The following conditions are out of scope for the vulnerability disclosure program. Any of the activities below will result in disqualification from the program permanently.